Incoming: Airborne Cyber Attacks No Longer the Stuff of Sci-Fi

One if by land. Two if by sea. How about Three by airborne internet attack?

CISOs will soon need to protect their organizations from virus-like cyber attacks that require little more than for victims to turn on their Bluetooth settings.

“Airborne threats don’t require users to open up an email from a Nigerian prince,” said Nadir Izrael, CTO and co-founder of IoT security startup, Armis. “There are lots of different parts to how wireless communications work and all are vulnerable.”

He said the discovery last year of a security flaw that allows attackers to attack Bluetooth devices was a likely harbinger as more organizations add connected devices to their networks. Last November, both Amazon and Google issued updates to protect their smart speaker devices from a security exploit called BlueBorne, which is activated via Bluetooth, to spread an airborne attack.

Experts have warned for some time about the relative absence of security in connected devices. Indeed, Symantec last year cautioned that voice-activated smart speakers may endanger people’s privacy and online security as the range of activities that can be carried out by these speakers means that a hacker could cause havoc if they gained access.

That challenge is compounded by the presence of significant vulnerabilities in popular wireless protocols used by billions of devices.

Indeed, Izrael used his presentation at the RSA Conference in San Francisco on Wednesday to demonstrate how a hacker can gain control of an Amazon Echo to launch an attack against an enterprise. It took him less than 5 minutes to compromise an Echo hooked up to a network and then take aim at the target. He also showed how easily it was to use Bluetooth to access a device’s media access control address to initiate a man-in-the-middle attack without needing any user interaction.

“This can spread from device to device,” he said, noting the challenge to security practitioners to identify and block attacks traveling through this new airborne vector before they can spread from device to device. “Once infected, the [compromised] device can go on to affect other devices,” he said.

The emergence of seemingly self-propagating attacks transmitted wirelessly presents another dilemma for security practitioners already scrambling to retrofit a myriad of IoT devices to compensate for their poor security design. Smart speakers are showing up in more offices – Izrael cited a survey commissioned by Armis that found 82% of US companies reported having an Amazon Echo in their computing environment – but so are any number of other devices newly equipped with internet intelligence, such as smart TVs and security cameras.

As billions of these new IoT devices come online, Gartner predicts that companies will need to increase their security spending by up to 25% by 2020 to address the cyber security and physical safety concerns associated with IoT.

Now it’s a race against the clock. If IT is slow to get a handle on these new, unmanaged devices, it’s just a matter of time before malicious hackers figure out how to exploit them to drop a new malware payload.

If you found this interesting you may enjoy:

• A guide to the security of voice-activated smart speakers
• ISTR 23: Insights into the Cyber Security Threat Landscape